Detections
Analytics

1.134 APPL-14-004022

Information

The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.

GROUP ID: V-259555RULE ID: SV-259555r1050789

The file /etc/sudoers must include a timestamp_timout of 0.

Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability or change user authenticators, it is critical the user reauthenticate.

Satisfies: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158

Solution

Configure the macOS system to require reauthentication when using "sudo" with the following command:

/usr/bin/find /etc/sudoers* -type f -exec sed -i '' '/timestamp_timeout/d' '{}' ;/bin/echo "Defaults timestamp_timeout=0" >> /etc/sudoers.d/mscp

See Also

https://workbench.cisecurity.org/benchmarks/24070

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-11, CAT|II, CCI|CCI-002038, CCI|CCI-004895, Rule-ID|SV-259555r1050789_rule, STIG-ID|APPL-14-004022, Vuln-ID|V-259555

Plugin: Unix

Control ID: 70c253f0c11d3bfaf0ebf2680b1c545f4336b4611a36f171757125fbab923a16